https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317476#M94965 <P>I believe you need this regex:</P> <P><CODE>| rex field=source "^(?&lt;mything&gt;[^_\.]*)(_[^\.]*)?\.log"</CODE></P> <P>The one @cusello posted above is close but will not extract the lines that do not contain underscores. He's also right, though, that you can't have an <CODE>inputlookup</CODE> in the middle of your search. Perhaps you meant to append the contents of the lookup file to the existing search results, in which case you'd want <CODE>...| append [ | inputlookup append=T filetypes_prod.csv ] | stats count by filetype...</CODE></P> Wed, 18 Oct 2017 15:28:29 GMT elliotproebstel 2017-10-18T15:28:29Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317472#M94961 <P>I have a list of files similar to this list:</P> <P>FileObjMgr_01235_567.log<BR /> EIM_0080123_45.log<BR /> EIM_01031234_56.log<BR /> EIM_01272345_67.log<BR /> FINSObjMgr_56789_1234.log<BR /> File3Svc.log<BR /> SCFile_123456_1345.log<BR /> SRFile_5794_5879.log<BR /> ServerMgr_54525852_452.log<BR /> SvrTaskPersist_857494_58674.log<BR /> WfProcBatch_748490_5857.log<BR /> WfProcMgr_2971_9928.log<BR /> XMLPReporter_8751_35485.log</P> <P>I am trying to extract the first part of the file name up to the "<EM>" character. Some files do not have an "</EM>" so I need the name up to .log. So far I've only been able to successfully pull names using this:</P> <P>index= sourcetype=:* | rex field=source ".<EM>/(?[A-Z]\w\w\w\w\w\w\w).</EM>.log" | inputlookup append=T filetypes_prod.csv| stats count by filetype | eval Status=if(count&lt;2, "Missing", "OK") | sort filetype| outputlookup filetypes_prod.csv</P> <P>However I am getting too many characters as below. How to I extract just to the "_" and, if that is not present to .log?</P> <P>EAIObjMg<BR /> EIM_0080<BR /> EIM_0103<BR /> EIM_0127<BR /> EIM_0151<BR /> EIM_0171<BR /> EIM_0191<BR /> EIM_0223<BR /> FINSObjM<BR /> MASL3Svc<BR /> SCBroker<BR /> SRBroker<BR /> ServerMg<BR /> SvrTaskP<BR /> WfProcBa<BR /> WfProcMg<BR /> XMLPRepo</P> Tue, 29 Sep 2020 16:20:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317472#M94961 sheloaha 2020-09-29T16:20:20Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317473#M94962 <P>Sorry. That should read "up to the "_" character." </P> Wed, 18 Oct 2017 15:00:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317473#M94962 sheloaha 2017-10-18T15:00:44Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317474#M94963 <P>Hi sheloaha,<BR /> If I correctly understand, do you like to extract only chars before the first "_" if present, correct?<BR /> if this is your need use this regex</P> <PRE><CODE>| rex field=source "^(?&lt;myfield&gt;[^_]*)" </CODE></PRE> <P>Viewing you search I see an error: you cannot use <CODE>| inputlookup</CODE> in the middle of a search, only at starting point.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 18 Oct 2017 15:09:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317474#M94963 gcusello 2017-10-18T15:09:27Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317475#M94964 <P>you can try | rex field=source "(?\w*)_ "</P> Wed, 18 Oct 2017 15:27:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317475#M94964 kunalmao 2017-10-18T15:27:25Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317476#M94965 <P>I believe you need this regex:</P> <P><CODE>| rex field=source "^(?&lt;mything&gt;[^_\.]*)(_[^\.]*)?\.log"</CODE></P> <P>The one @cusello posted above is close but will not extract the lines that do not contain underscores. He's also right, though, that you can't have an <CODE>inputlookup</CODE> in the middle of your search. Perhaps you meant to append the contents of the lookup file to the existing search results, in which case you'd want <CODE>...| append [ | inputlookup append=T filetypes_prod.csv ] | stats count by filetype...</CODE></P> Wed, 18 Oct 2017 15:28:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317476#M94965 elliotproebstel 2017-10-18T15:28:29Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317477#M94966 <P>Correct suggestion:</P> <PRE><CODE>| rex field=source "^(?&lt;myfield&gt;[^_\.]*)" </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 18 Oct 2017 15:37:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317477#M94966 gcusello 2017-10-18T15:37:24Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317478#M94967 <P>This worked great! And thanks everyone for correcting my inputlookup error.</P> Wed, 18 Oct 2017 19:04:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-file-name-up-to-a-specific-character/m-p/317478#M94967 sheloaha 2017-10-18T19:04:51Z